CVE-2025-41117 — Cross-site Scripting in Grafana

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 98.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana Grafana Grafana Grafana-enterprise Grafana

Timeline

PublishedFeb 12

Description

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDgrafana/grafana12.2.0 — 12.2.4+3

▶CVEListV5grafana/grafana_grafana12.2.0 — 12.2.4+security-01+1

▶CVEListV5grafana/grafana_grafana-enterprise12.2.0 — 12.2.4+security-01+1

🔴Vulnerability Details

OSV

CVE-2025-41117: Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser↗2026-02-12

▶

GHSA

GHSA-cqp7-wf4c-3xgc: Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser↗2026-02-12

▶

CVEList

XSS in Grafana Explore stack trace↗2026-02-12

▶

📋Vendor Advisories

Red Hat

github.com/grafana/grafana: Cross site scripting in Grafana Explore stack trace↗2026-02-12

▶

🕵️Threat Intelligence

Wiz

CVE-2025-41117 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶